Presentation Information of Daniel Greenwood (dan@civics.com)
for the 7/24/97 Public Forum on Certificate Authorities and Digital Signatures held at NIST

Slide Presentation and Annotations: Each page of this document
corresponds to a transparency that was presented at the July 24 public
forum. In addition, each page has been annotated with notes to provide
further context and background.

Appendix A: Statement on the relationship between
state and federal law for electronic authentication delivered to the
Domestic and International Monetary Policy Subcommittee of the
Committee on Banking and Financial Services of the United States House
of Representatives, July 9, 1997.

Appendix B: Information related to the Virtual State
House Project. This is a graduate course and a workshop at the
Massachusetts Institute of Technology that centers on legal, policy,
design and technical issues of online government and electronic
commerce with special emphasis on state government issues.

Appendix E: Digital Signature Mock Trial. The purpose
of this exercise is to explore legal ramifications of deploying digital
signature technology as a business tool, including: what grounds may
exist for legal cause of action, what issues arise relative to
preserving certain evidence for trial, how might certain contract terms
be interpreted, etc. This is planned for the fall of 1997 and will take
place via a collaborative web site.

Appendix H: E-Mail to UNCITRAL List Serve. This E-mail
message outlines the differences in legislative approach between Utah
and Massachusetts and exemplifies the dialogue underway at the state
level relating to digital signature law and policy.

Daniel Greenwood, Deputy General Counsel

Information Technology Division, Commonwealth of Massachusetts

http://www.state.ma.us/itd/legal

dan@civics.com

JULY 24, 1997

Public Forum on Certificate Authorities

and Digital Signatures:

Enhancing Global Electronic Commerce

==== Comments on Slide ====

Introductory slide


INTRODUCTION

* Background and Context

* State Legislation

* Pro-Market Approach

* Accreditation: Public/Private

* Forums

==== Comments on Slide ====

This slide previews the contents of the presentation.


Background and Context

"The Citizens Would Rather

Be On-Line Than In Line"

* Why states care

* What states do

* How states act

==== Comments on Slide ====

This slide sets the background and context of state government
interest in these matters. Why states care: because this technology
holds the potential for use by states as a tool for efficient public
administration and, in the private sector, the technology can foster
electronic commerce, broader economic development and other societally
useful purposes. What states do: states are huge business operations
that would benefit, like any other business, from the capacity to use
secure online communications to reduce costs and enhance service
quality (our logo is "the citizens would rather be online than in
line"). How states act: this is a critical point. Many proponents of
government action in the area of digital signatures and CAs seek
statutes. Legislation that intervenes in the market by picking
technology winners, apportioning liability among private parties to
electronic transactions, granting special liability limitations for
certain parties, or otherwise introducing regulatory proscribed
behavior beyond that currently required under other bodies of law
(consumer law, contract law, commercial law, existing regulatory
oversight, etc.) is premature at best and risks harming the market
evolution toward implementations which are workable from a technical
and business perspective. Other ways states and governments act should
be explored as better methods to promote electronic commerce at this
early stage of market development. For instance, tax policy must be
reformed so that no new net-specific taxes are levied and a tangle of
inconsistent tax regimes does not emerge (and tax reductions should be
seriously considered as a growth incentive measure). Furthermore,
public procurement and government electronic filing/registration/etc.
requirements are direct methods for promoting the use of these
technologies.


State Legislation

* Electronic Signatures

- Common Law/Quill Pens

- "Any symbol or method with

present intent to be bound"

* Secure Signatures

==== Comments on Slide ====

An "Electronic Signature" refers to any electronic authentication
method that would meet the common law requirements for a signature.
Under the common law, any mark or symbol would qualify as an
enforceable signature if it were executed with an intent to be bound or
to authenticate a record. No particular security is required to create
a signature that is potentially legally binding. For instance,
signatures written in pencil on paper can be enforceable. Courts have
long held typed signatures on paper and (more recently) even on e-mail
to be legally enforceable as well. However, as a rule of thumb, the
better the security surrounding a given signature, the more weight that
signature is likely to be afforded in a court of law or other
decisional forum (from simple negotiations to formal arbitration). This
issue arises most sharply when a party attempts to repudiate (deny)
having signed (authenticated) a record. A "Secure Signature" refers to
a subset of electronic signatures that possess some security features
that would enhance reliability of the authenticity of the signature.
Legislation that merely recognizes the validity of electronic
signatures generally has been adopted by Virginia, Texas, Florida,
Rhode Island and other states. While these laws probably just restate
the result a court should reach under the common law, some people are
still confused or uncertain about whether an electronic signature is
"legal." Furthermore, electronic signature laws serve the vital purpose
of eliminating antiquated "quill pen" laws that require certain
documents to be "signed in ink" or provide other inappropriate
medium-specific requirements. Reform, amendment or repeal of such laws clears
the decks for electronic commerce.


State Legislation

* Electronic Signatures

* Secure Signatures

- California: Criteria-Based

- Utah: Digital Signature

Licensed CA

Liability/Presumptions

==== Comments on Slide ====

A "Secure Signature" refers to a subset of electronic signatures
that possess some security features that would enhance reliability of
the authenticity of the signature. For example, a "Digital Signature"
(one created by use of public key cryptography and a message digest) is
a type of secure signature. If the digital signature is verifiable by
reference to an X.509 digital certificate that was issued by a reliable
CA, then the signature can be deemed even more secure. The states of
Utah and Washington have adopted "Digital Signature" legislation. While
this legislation does confirm the validity of digital signatures, it
does not similarly confirm the validity of electronic signatures
(though it does not restrict validity of other types of electronic
signatures). In addition, Utah/Washington legislation would create a
rebuttable presumption that the digital signature is that of the person
it purports to be from. The theory is that since digital signature
technology is more secure than other types of electronic signatures, it
deserves special statutory evidentiary weight. Furthermore, this
legislation creates state government licensing of CAs and provides for
the limitation of liability for licensed CAs. Another form of secure
signature legislation was adopted by the state of California.
California chose to enumerate certain security criteria rather than
specify digital signatures alone. Under the California law, signatures
must meet the following requirements: (1) it is unique to the person
using it; (2) it is capable of verification; (3) it is under the sole
control of the person using it; (4) it is linked to data in such a
manner that if the data are changed, the digital signature is
invalidated; and (5) it conforms to regulations adopted by the
Secretary of State. [Some people talk about the need for legislation
that will make a digital signature "valid and enforceable." Such an
approach is dangerous because it goes too far. It is more accurate to
say we need certainty that such a signature will not be invalid merely
because it is in electronic form. There are many other areas of law
that would, and should, render even a reliable digital signature
"invalid" or "unenforceable" - such as if the signature signed a
contract to perform a criminal act, or if the signer was a minor, or
any number of other defenses or factors. It is important to tailor any
electronic authentication legislation to achieve narrow and understood
goals, because many other areas of law are implicated at the state and
federal levels.]


State Legislation

* Exceptions

- Wills and Trusts

- Real Estate

- Negotiable Instruments

- Notice/Solemnity/Intent

- FOIA: Private Key

==== Comments on Slide ====

It is interesting to note areas of law or practice that are exempted
from the scope of legislation. Some legislation provides for no
exceptions. Important policy questions are raised by each of these
areas. For instance, for the foreseeable future, some citizens and
consumers will not have access to electronic commerce tools. Thus,
statutes that call for signed notices and similar protections must be
studied. The Massachusetts General Laws contain no less than 4,515
references to writings and signings (many of which provide for notice
requirements). The effect of electronic or digital signature
legislation in these areas should be closely examined and, in the end,
states and the federal government should agree on a consistent approach
to this issue. Proposed federal preemptive law that would interfere
with existing state laws in these and other areas should be studied for
several decades prior to action (just kidding - but there is a serious
risk that federal law in this area will create undue, unwise and
unwelcome changes in core areas of state law unless drafted in close
cooperation with state policy makers).


Mass. Statutory Approach:

* Slow Move to Secure Sig. Law

* Technology Neutral/Reform Quill-Pen Laws

Mass. Policy Approach:

* Promote Competitive Market

* Harmonize Practice and Law/Develop PKI

==== Comments on Slide ====

Why be slow to move toward secure signature law? Most (nearly all)
citizens and businesses do not possess or use especially secure
computing systems at this time. While smart cards and other
technologies hold the promise of more secure implementations of PKI for
the future, the current technical and business practice environment is
not secure enough to warrant an evidentiary presumption against one who
purportedly used a digital signature - but the current state of
technology and market adoption is certainly sufficient to warrant the
promotion of electronic commerce under existing legal principles.
Furthermore, since no system has yet been devised to prevent forgery
(including PKI), it appears that for the foreseeable future some
parties who repudiate signatures will actually be telling the truth (in
fact, I am litigating a case now where my client is the victim of an
indisputable ink on paper forgery - the electronic equivalent for this
case is not unprecedented). Particularly where the law applies to
consumers (as distinct from business to business), current evidentiary
processes should remain in effect. Any reversal of the burden of proof
against a signer should occur only after a period of experience with
widely used electronic authentication systems and scrutiny of known
forgery rates and other reliability factors related to those systems.
As a general principle, special statutory benefits (liability limits,
other regulatory safe-harbors, evidentiary presumptions, etc.) should
not be gifted to any technology users or industries in an attempt to
kindle electronic commerce. No market has ever been regulated into
existence. Markets are created as a result of supply and demand. The
law and government policy in this area should promote a competitive
market place for PKI and for other technologies. Clearing legal
obstacles makes sense - but affirmatively providing regulatory benefits
risks legislatively enshrining incorrect guesses about the best
technology and business practices (thus chilling innovation and market
evolution of the most efficient approaches). Law in this area should
follow and reflect market realities (like the Commercial Code) and not
attempt to lead the market. Hence, technology neutral laws that assure
the common law is properly applied to electronic authentication are
appropriate. In general, statutes and policies need to be coordinated
at the state and federal levels. However, the primary focus of
government policy at this time should be the facilitation of
coordinated business practices and technology standardization - not
legislation and regulation.


Statutes, Practices & the Market: ACCREDITATION

Public/Private/Global

Statute/Reg/Contract

- Health Care, Schools, Insurance, Labs, etc.

Market Driven, Multi-Tiered

- Openly arrived at results

- Broadly representative

- Voluntary, Self-Sustaining

- Accepted & Accessible

==== Comments on Slide ====

The development of a usable PKI will be best served by a competitive
market for PKI related products and services - and that should include
a competitive CA. A multi-CA market will require some quick, objective
way to determine whether a given certificate issued by a given CA is
sufficiently reliable under the circumstances. It is widely recognized
that private sector based accreditation of CAs can serve these and
other practice harmonizing goals. To be successful, accreditation
should serve the needs of the public and the private sector and should
be (eventually) capable of scaling up to global use. To the extent
statutes, regulations or private contracts need to reference the use of
a CA that meets certain minimum standards, reference should be made to
accreditation, rather than government license. There is significant
precedent for the legal recognition of private accreditation. Statutes
frequently will either give legal recognition of accreditation or, in
some cases, will provide that an organization (health care, insurance,
etc.) must be either licensed or accredited to do business in a
particular jurisdiction. The process of creating accreditation that in
fact affords sufficient information on which to base a judgment about
the reliability of a given certificate (and the CA that issued it) must
involve a broadly representative group of stakeholders. The process of
accreditation should be voluntary for CAs and it should be financially
self-sustaining. The results (the ratings of accredited CAs) must be
publicly accessible for any consumer or business who would seek to rely
on the accreditation (perhaps available in a machine readable and human
readable format). A closed system of accreditation would not be
consistent with promoting general electronic commerce. Widely accepted
accreditation can serve as the basis for technical cross-certification
among CAs as well. States are actively involved in initiatives to test
and create CA accreditation.


"The Forums are the Thing"

* NASIRE, NASPO, NASC

* American Bar Association

* CommerceNet, Etc.

* U.S. Innovation Partnership (USIP)

- Web-Based Conference

- Multi-Jurisdictional

- State and Federal

- Statutes, Policy and Practice

==== Comments on Slide ====

It is important that the stakeholders, public and private sector, in
electronic commerce and PKI development focus on coordinating efforts.
On the state level, NASIRE, NASPO, and NASC (national organizations of
state governments) are working hard with the National Automated
Clearing House Association (a bank trade association) to facilitate the
creation of private sector based CA accreditation. Other organizations
are also attempting to provide forums for stakeholders to work together
on various legal, policy, business practice and technical issues. As
time goes on, it will be important to further coordinate the use of
these forums to ensure adequate information exchange and reduce
duplication and conflict. One important forum is the USIP, a
partnership between the National Governor's Association and the White
House to foster collaboration between the states and the federal
government on national technology policy. The USIP is now working to
create a web-based conference application to provide an online forum
for discussion among stakeholders on many of these important questions.
The Commonwealth of Massachusetts looks forward to working with the
USIP to support their efforts at forging national partnerships for
technology policy.

Appendix A: Congressional Testimony

Statement of Daniel Greenwood, Deputy General Counsel For The
Information Technology Division Of The Commonwealth of Massachusetts
Before The Domestic and International Monetary Policy Subcommittee Of
The Committee on Banking and Financial Services Of The United States
House of Representatives. Transcripts available soon at www.house.gov.

July 9, 1997

Mr. Chairman, members of the Subcommittee, I appreciate the
opportunity to participate in this important hearing on a Federal Role
in Electronic Authentication. I am pleased to share the views on
legislation developed in the Commonwealth of Massachusetts based on our
experiences both using and promoting authentication techniques for
electronic commerce. As Deputy General Counsel for the Information
Technology Division (ITD) for the Commonwealth, I have had ample
occasion to focus on the ramifications of electronic commerce from a
legal, practice, and technology oriented perspective. The Commonwealth
of Massachusetts is home to several electronic commerce companies and
our state government is a robust user of electronic commerce
technology. In essence, the Commonwealth favors an incremental and
pro-market policy in legislation and regulation at this time.

Many people are questioning whether electronic signature law should
be enacted at the state level or preempted by federal law. The
Commonwealth believes that electronic signatures are relevant as a part
of broader electronic commerce policy and should be viewed in that
context rather than in isolation. The question is not one of state
versus federal law, but how each level of government should coordinate.
The law, policy and practice related to electronic commerce are too
important and pervasive to be under the sole jurisdiction or influence
of any single level or branch of government.

The Commonwealth is having a very positive experience using
electronic commerce to achieve cost savings and service quality
enhancements by making important state government transactions
available over the Internet for citizens and business. Citizens can use
a credit card over a secure Internet connection to renew their vehicle
registration, pay a citation and even to order a vanity license plate.
Vendors that do business with the Commonwealth can access official
requests for proposals over the state's web site and will be able to
submit bids in the future. Our most recent transaction allows banks to
conduct secure and authenticated Internet filings with the
Massachusetts Division of Banks. We believe the citizens would rather
be Online than in line when dealing with government. There are a number
of different information technologies that can be deployed for secure
electronic commerce and our policy has been to promote use of multiple
technologies and a competitive marketplace for electronic commerce
services and products.

It is unrealistic to assume that all conflicts can be preempted out
of existence. At the legislative, regulatory and policy levels,
governments will have to coordinate actions because electronic commerce
is multi-jurisdictional by nature. For instance, among state
governments and between the states and the federal government, it is
vital that a citizen or business dealing with the government not be
burdened with inconsistent or conflicting technical or legal
requirements. To this end, state and federal government must coordinate
policies on electronic filings, registrations, licensing and other
online transactions.

In the narrow but important area of public key cryptography, for
instance, Massachusetts is cooperating with several other lead states
and three national associations of state governments to accredit
certification authorities. This accreditation project is aimed at
producing consistent standards among states and other parties who would
purchase or rely on digital certificates of identity in electronic
commerce. This project serves as a market driven but coordinated
approach to protect certification authorities from conflicting
requirements by different governments and other large users. A wide
array of private sector electronic commerce partners and the federal
government have been part of the planning of this pilot. Such efforts
can be far more fruitful than legislation for the purpose of
accelerating electronic commerce by working out practical obstacles.

Important though it may be, perhaps too much emphasis has been paid
to the role of Government as law maker. An initial, and probably
counterproductive, assumption is often made that the lack of a
comprehensive statutory and regulatory framework is holding back
electronic commerce. The Administration of Governor William Weld has
found consistently over the past six years that restraining the
government impulse to regulate private enterprise results in more, not
less, economic activity. The Weld Administration has recently concluded
an unprecedented phaseout of antiquated or overly burdensome regulation
throughout every corner of the state bureaucracy. Particularly in an
area as dynamic and fast growing as the information technology economy,
government at all levels must temper the regulatory urge with a healthy
respect for the power of markets to develop the least costly, highest
quality, most efficient technical, business and contractual solutions.
Government remains, of course, a player in the online market by virtue
of consumer power and transactional standards setting. However, the
electronic commerce market will not be regulated or legislated into
existence, but it will emerge as a result of supply and demand. As the
market develops, legislation or regulation can be crafted to deal
specifically with market failures that may emerge with respect to
consumers, corporate market needs, criminality and other public
concerns. To attempt to legislate solutions to problems that have
largely not yet happened in a market that is still not fully formed
risks harmful market distortions and other unintended consequences.

It is clear, however, that certain legislative reforms will be
needed to remove legal obstacles from the path of private sector
parties who use electronic commerce as part of their business. Some
legal reforms are largely under the jurisdictions of the states. For
instance, the law of contracts has traditionally been a matter for
state law. Similarly, the specific question of electronic
authentication often boils down to an issue of evidence. This is an
issue of proof of the identity of a party to a transaction or other
online activity. To the extent these matters are tried in state courts
applying state rules of evidence, this too is a matter of state law.
Just one month ago, in the case of DOHERTY v. REGISTRY OF MOTOR
VEHICLES, a Massachusetts district court ruled that an e-mail message
qualified as a writing signed under the pains of perjury. State courts
have, for centuries, proven to be quite capable of adjudicating
commercial disputes between parties from multiple jurisdictions and
dealing with technological advances. Concerns over state government
competence to continue in this field are not called for. In fact,
states are often better suited to produce innovative, responsive and
accountable policy models than the federal government.

In recognition of the novel issues raised by electronic transactions
generally (including authentication issues) the states are in the
process of drafting uniform state law governing electronic contracts,
licenses and other private transactions. The uniform law drafting
process affords an open, deliberate process that is necessary to arrive
at sound, informed legislation in this area. However, while uniform law
drafting proceeds, some legal reforms may be ripe for action in the
meantime. For instance, the Massachusetts General Laws provide some
4,515 separate references to documents that must be in writing and/or
signed. Some laws require writings "on paper" and signatures "in ink."
These laws are strewn throughout the laws and regulations of states and
the federal government. Such "quill pen" laws, in many cases, hail from
an industrial age (and occasionally from agrarian times) and serve as
antiquated, senseless impediments to electronic commerce. The repeal or
reform of such laws should be undertaken in a coordinated and
consistent fashion at all levels of government. Similarly, federal and
state tax policy should be tailored to promote electronic commerce and
existing or contemplated regulation of electronic commerce should be
seriously reconsidered in light of the importance of market driven
solutions and robust competition in this field.

The Commonwealth of Massachusetts has proposed the creation of an
online, web-based conference area to facilitate communication between
and among states and the federal government regarding electronic
signature and authentication legislation, regulation and policy. We are
pleased to work with the newly formed United States Innovation
Partnership on this project. The USIP is a joint effort of the National
Governors Association, the White House Office of Science and Technology
Policy and the Secretary of the U.S. Department of Commerce. When this
web site is operational, we will be happy to inform the Subcommittee of
the http address. The Commonwealth has also drafted a survey to collect
and share views on the proper balance between state, federal and
international law for electronic signatures. This survey has been
published on the Internet, in the BNA, and other periodicals and
results are still coming in. When the results are complete, we will
forward a report to the Subcommittee for your information.

There are many opportunities for state and federal law to form a
consistent legal framework in support of the emerging information
society. Needed international coordination will have to be spearheaded
by the federal government. Such issues as export, copyright, patent,
federal tax and federal procurement will also have an important impact.
Areas such as uniform commercial law, general contract law and state
rules of evidence, on the other hand, will need to be carefully evolved
by the states in light of federal and international electronic commerce
policy. On a going forward basis, more forums and opportunities for
communication between levels of government are needed to avoid the
crafting of inconsistent policy or misunderstandings about the roles of
each stakeholder.

Mr. Chairman, thank you for the opportunity to testify today. If the
Subcommittee would like deeper background on these matters, I would
encourage you to visit the ITD web site, available at
www.state.ma.us/itd/legal. As you continue to work on these important
issues, the Commonwealth would be honored to provide the Subcommittee
with assistance in the future. I would be pleased to answer any
questions the Subcommittee may have at this time.

Appendix B: The Virtual State House

MASSACHUSETTS INSTITUTE OF TECHNOLOGY, Cambridge, MA

Fall 1997

The Virtual State House. Course 4.182, Department of Architecture.
This course is co-taught by Dan Greenwood and William J. Mitchell, Dean
of the School of Architecture and Planning, MIT. The course explores
the policy and legal issues that arise when online information
technologies are put to public and community uses. Special emphasis is
paid to 3D virtual reality systems that allow real-time multi-user
collaboration over the Internet. The students cooperate to design and
build a working virtual state house to demonstrate the problems and
prospects for online government in the future. The virtual state house
allows users to conduct electronic commerce, view or interact with
public records, and engage in participatory democracy.

Appendix C: Survey on Legislation (compilation still ongoing)

(available at www.state.ma.us/itd/legal)

[In addition to the survey reprinted below, the Commonwealth of
Massachusetts is also conducting a large-scale survey of electronic
contracting practices - including inquiry into current electronic
records management practices, how parties manifest assent (electronic
signatures? Clicking "I Accept" etc.) and other important practices.
Co-sponsors include CommerceNet and the American Bar Association's
Electronic Contracting Practices Work Group of the Committee on the Law
of Commerce in Cyberspace. The final "best practices" document
resulting from this survey will be made a public record on the
Commonwealth's web site.]

Survey: As many of you are no doubt aware, there has been talk
lately of federal digital or electronic signature legislation. Under
the supremacy clause of the Constitution (and perhaps other clauses)
such legislation would preempt state law. A number of state laws
already exist and the National Conference of Commissioners on Uniform
State Law is also working in this general area. However, a desire for
the benefits of quick, national uniform treatment of this field has
prompted renewed interest in federal law. I would like to poll each of
you on the following four questions:

1. Should electronic and/or digital signature laws:

a. remain exclusively as state legislation (why?)

b. become totally preempted by federal legislation (why?)

c. be governed by both state and federal legislation (if so, who governs what?)

2. What coordination of legal framework is needed at an international level?

3. Is the current trend in state legislation creating an
insufficiently coordinated legal environment for electronic commerce?
If so, please indicate where the problems exist. If not, indicate why
different types of existing and pending state electronic signature laws
do not significantly impede electronic commerce.

4. Why, if at all, are electronic or digital signature laws needed?
What problems does such legislation solve? What would be the result if no
such legislation existed?

* May we publish your remarks on the Commonwealth of Massachusetts web site (if so, would you like attribution or anonymity)?

Please feel free to answer in short blurbs, or to go into more
depth. Thank you in advance for your thoughts on this matter. Please
send responses to dgreenwood@state.ma.us

The Chief Information Officer has established the On-Line Government
Task Force to chart the immediate future course of online government in
the Commonwealth of Massachusetts. On or about August 30, 1997, the
Task Force shall report to the CIO on:

a) the Commonwealth's operational needs for online government functions;

b) the legal and policy requirements for such functions, with particular emphasis on the need for authentication, integrity, confidentiality, and non-repudiability;

c) currently available and near-term technologies performing such functions;

d) central services that could promote the growth of online government;

e) the state of current technical and legal efforts in the
Commonwealth, other states, the federal government, and other
countries;

f) specific technical and legal information that could support agencies that are implementing or evaluating online

The Task Force should explicitly identify the Commonwealth's range
of operations that could be performed better or more efficiently using
online technologies. The Task Force should identify online government
projects that are being implemented now and are planned or desired in
the short term by agencies. The Task Force should identify and
categorize the types of government functions that are ripe for
networked automation. The scope should extend to both Internet and
intranet communications.

3. Legal and Policy Requirements for Online Government

The Task Force should identify and categorize the functionality
needed for online government functions to comply with business, legal,
and policy requirements. Specifically, the Task Force should evaluate
requirements for authenticity, integrity, confidentiality, and
non-repudiability of network communications, with particular emphasis
on the suitability of PKI technologies.

4. Current Technology

The Task Force should assess the current and near-term state of the
technology available to meet the business, legal, and policy needs of
the Commonwealth. This includes testing or demonstrating relevant
technology. This effort should result in a narrative and/or a matrix
that represents a thorough evaluation of current offerings by PKI and
other vendors, as well as an assessment of the strengths and weaknesses
of these solutions.

5. Central Services for Promoting Online Government

Given the business, legal, and policy requirements, and the
technologies available to meet them, the Task Force should identify key
central services, particularly PKI services, that would promote the use
of online technologies by state agencies.

6. Standards and Guidance for Agencies

The Task Force should develop specific standards and guidance for
agencies that wish to implement online government solutions. The
emphasis should be on concrete, practical advice that can materially
assist agencies that have advanced to the point of implementing an
online government operation. In addition to this specific guidance, the
Task Force should also develop information and advice for agencies that
wish to evaluate the benefits of online technologies. This and/or other
material should also serve to give agency management the information
they need to appreciate and support online technologies.

7. Pilot Projects

As a result of identifying business needs, legal and policy
requirements, available technologies, and the appropriate central role
for the state, the Task Force should propose suitable candidates for
pilot projects for evaluating online government solutions.

8. Members of the PKI Task Force

Membership in the task force is open to any public entity in the
Commonwealth. Anyone interested in joining the task force or receiving
more information should contact Task Force Chairman Dan Greenwood at
dgreenwood@state.ma.us or 617.973.0071.

Appendix E: Digital Signature Mock Trial

(planned for fall, 1997)

The Commonwealth of Massachusetts Information Technology Division
Legal Department will sponsor a mock trial based on a dispute over a
digitally signed communication. This will be an online event, probably
web-based. There will also be a half-day "court room" mock trial to be
held in Boston in the fall. Anyone interested in helping to plan, or
participate in one or both of these mock trials should contact Dan
Greenwood at dgreenwood@state.ma.us.

The purpose of this exercise will be to explore legal ramifications
of deploying digital signature technology as a business tool,
including: what grounds for a claim (consumer law, financial and
banking law, common law, other?); what issues arise relative to
preserving certain evidence for trial; the legal relationship between
an "owner" (subscriber) of a digital signature, a relying party and a
certification authority; what other evidentiary admissibility issues
arise, how might certain contract terms be interpreted (i.e.: what
arguments might be raised related to liability limitations, rights and
duties under contract); etc. The case will be tried in a fictional
jurisdiction and to fictional parties.

The specific factual pattern (i.e.: who are the parties and what
happened to them) will be developed so as to highlight areas of legal
uncertainty and maximize the instructional value of this exercise. It
is expected that this exercise will assist the Commonwealth of
Massachusetts and other interested parties to more efficiently manage
liability and to better anticipate legal issues as we look to deploy
public key based network solutions.

----

Digital Signature Online Mock Trial

Participation Form

How would you like to participate in the virtual digital signature
mock trial? At this time, it is still possible to participate in
any of the roles listed below. Please let me know what positions you
are interested in pursuing (if you are interested in more than one from
a category, please indicate order of preference). Send your reply to
dgreenwood@state.ma.us.

Category A. Trial Participants.

I want to:

1. be a lawyer

2. be a party and a witness

3. be an expert witness

4. be a judge

5. be a juror

Category B. Coordinators/Organizers.

I want to:

1. write part of the fact pattern for this case and review other parts

2. create or advise on the technical design look/feel/functionality/security of the web site

3. moderate or otherwise administer access to the web-based trial site

Though the fact pattern is not yet determined, our thought is to
design facts under which none of the parties are at fault, yet there
has been a loss due to either theft or unknown causes. Though the focus
will be on the issues specific to digital signatures, we expect that
some electronic contracting issues will also be raised. We also expect
that all evidence of the transaction will be in electronic form
(including relevant sections of contracts, server logs, correspondence
and other transaction records). It is expected that the trial system
will be made into two sites. One site will be closed to the trial teams
for participation, but open for viewing by the world (virtual open
court). The other site will be totally open for read/write access for
anyone to join the discussion about the mock trial as it is unfolding.

Again, thank you for your interest in this project. We look forward
to working with you to make this a useful and educational experience
for us all.

Appendix F: The PKI Page!

(an online PKI information resource - also available at www.state.ma.us/itd/legal)

* The Purpose of the PKI Page

* Standard, Policy and Practice Related PKI Links

* Certification Authorities and Vendors

* Industry and Trade Groups

* National and International PKI Government Activity

* State Government Initiatives

* Academic Treatment of Information Infrastructure Issues

* Feedback

The purpose of the PKI page

This page exists to provide an information bank for people who wish
to use the evolving public key infrastructure as a tool for securing
net-based communications and transactions. There is a large amount of
information available on the Internet, which the page will link to
where appropriate. However, there are a large number of issues that are
still emerging that will also be tackled here. Feel free to send along
any PKI-related information, such as: news, product announcements,
papers, web addresses and any other information that you think people
interested in PKI would like to see. Enjoy!

NOTE: The foreword specifically relates to a program held by
Massachusetts Continuing Legal Education. The program, "Health Care and
Information Technology" was held January 15, 1997. Some information is
now dated.

Foreword

The following article deals generally with legal aspects of
electronic signatures and writings. Though the article is not
specifically tailored to medical systems, the information is quite
relevant to the field of health care and the topics under consideration
for this Massachusetts Continuing Legal Education program. The document
is a draft of an article that will be published in the National Law
Journal. It should be noted that, while I am an attorney for the
Commonwealth of Massachusetts and reference is made throughout this
article to legal and policy matters involving the Commonwealth, I
submit this work in my personal capacity and nothing herein necessarily
represents the views, positions or any official comment by the
Commonwealth.

Information technology can be a powerful enabling tool for health
care. According to the Chicago Tribune, a 21-year-old student in China
fell into a coma due to a mysterious illness. The finest doctors in
Beijing were unable to diagnose or treat her, and her condition was
fast deteriorating. Her friends sent a desperate plea for help over the
Internet, describing her symptoms and requesting assistance. Some 2,000
doctors and researchers in 18 countries replied to the message, and
from those responses the illness' cause was established. The young
student's life was saved as a result of that use of the Internet. This
dramatic example illustrates the previously impossible communications
made simple, inexpensive and commonly accessible through use of
networked computers.

An early Clinton Administration health security proposal suggested
the following benefits from a national health information
infrastructure:

1. clear and useful consumer information

2. health status measures

3. health care system monitoring and evaluation

4. linking health record information to improve patient care

5. cost effective, streamlined administration, and

6. identification of fraudulent activities

Commentators have noted that the benefits of networked health
care information outweigh the risks to privacy. Though providing for
adequate information security protections can involve significant
investments, the cost savings to be had from widespread use of new
communications technologies are staggering. For instance, switching to
electronic data interchange (EDI) would yield billions of dollars in
savings annually. The current paper based system is ill suited to
health care in both form and function. The Government Accounting Office
estimates that the 34 million hospital admissions and 1.2 billion
physician visits each year generate the equivalent of 10 billion pages
of medical records.

Evidently, not only is medical data voluminous, but it is also
poorly organized - sometimes inaccessible when needed and existing in
several different locations, though associated with a single patient,
perhaps even a single episode. In addition to administrative and cost
savings, networked computing presents conspicuous advantages in quality
of care and research that directly advance the core mission of health care.
The benefits of electronic information systems include accessible and
comprehensive patient records, networked consultations without regard
to geography, ease of treatment tracking and instant availability of
critical clinical and research data capable of being queried, stored
and cross-indexed to a patient's file.

Several leading organizations in the field of medicine have
publicly advocated for moving toward integration of information
technologies into health care systems, including the American Hospital
Association and the Institute of Medicine's Committee on Regional
Health Data Networks. It is only a matter of time before ubiquitously
networked computer systems allow for spontaneous, secure, authenticated
and confidential transactions around the world. The cost and quality
efficiencies of such an Information Infrastructure promise untold
benefits in all sectors of the economy and society. As this transition
hastens, attorneys will increasingly be asked for advice about the
legal consequences of creating, receiving, transmitting, destroying and
converting to electronic records. The role of electronic signatures,
network security, and the contracts and licenses associated with
digital systems and services will play a key role in the practice of
modern law. The field of health care, with its special concern for
confidentiality and literally life and death reliance on the accuracy
and timeliness of information presents the strongest challenge and the
greatest opportunities for adoption of emerging information technology.
Legal and policy infrastructure supporting computer networks will be
vital to the success of this transition.

Introduction

The world is changing and the lawyers must change with it. A
digital revolution has begun. The wide-scale transition from
traditional forms of writing and communication is creating uncertainty
in commerce, health care, government and all social and economic
sectors. Specifically, records are increasingly created, transmitted
and stored in electronic media and parties are using computer networks
to access and communicate information with other parties. What is the
legal status of an electronic signature? Are electronic records the
legal equivalent of paper writings? It is clear that such uses of
electronic data are saving enormous administrative and other
transactional costs. The ability to access information in digital form
is also creating qualitative cultural and economic improvements by
allowing world-wide networked publishing, trade, education and
interactive collaborations. However, the legal implications of these
changes will require attorneys to adapt to new vocabularies and ways of
thinking. This article will explore issues surrounding the use of
electronic signatures and writings in the context of information
security and the law.

What Is a Digital Signature?

A digital signature allows a party to send a secure message over an
open, otherwise non-secure computer network. The phrase digital
signature is a term of art. A digital signature is not based on an
actual hand signed image, rather it is based on a complex mathematical
formula that allows networked communications to be authenticated,
confidential and non-repudiable. Though the technology is involved, it
is helpful that lawyers have at least a passing understanding of the
underlying content of digital signatures. There are two basic technical
processes that combine to make a digital signature. The first function
is known as "public key encryption." The second function is called a
"hash." Encryption is simply the process by which information is
scrambled by use of a code.

Military communications have relied on more or less advanced methods
of encryption for thousands of years. In fact, Alexander the Great
communicated with his generals by sending messages in which each letter
was shifted a certain number of positions (a two position shift
replaces every "a" with a "c", every "b" with a "d", and so on). This
was a form of "secret key encryption" - because anyone who knew the
secret code could send and receive messages securely. Today,
commercially available encryption software creates encryption so strong
that it is all but impossible to break the code and ascertain the
original message without the use of the authorized software.

Public Key Cryptography

Unfortunately, a secret key system requires the sender to transmit
the code to the receiver in a safe manner - not allowing the code to
fall into unauthorized hands - because anyone with the secret code can
read all messages sent. Since the Internet is very vulnerable to
message interception, it becomes impractical to deliver the secret code
to message recipients. Enter: Public Key Cryptography. With this type
of encryption, information that is encrypted with one key from a given
pair can only be decrypted by the other key. This is similar to the old
"secret decoder rings" found in boxes of Cracker Jacks. Users of this
system would keep their private key very safe (perhaps password
protected or even embedded in a smartcard or other hardware device) but
they would make their public key freely available, by sending it to all
potential recipients of messages or posting it to an Internet public
key directory. In this way, the private key holder can send a message
to anyone on the Internet, and, if his public key decrypts the message,
the recipient knows it must have come from the private key holder.
Conversely, anyone on the Internet that wants to send the private key
holder a message can encrypt the message with his public key (again,
the public key is freely available) and send the message with the
knowledge that only the private key holder can read the encrypted text.

For example, if you receive a message from John Smith, and you use
Smith's public key to successfully unencrypt the message, you know, to
an extremely high degree of certainty, that Smith, and not an impostor,
wrote the message. The message could only have been created by
someone with Smith's private key, and presumably the only person with
Smith's private key is Smith. This can be seen as the equivalent of a
signature on the data sent by Smith - a so-called "digital signature."

Hash Functions and Message Digests

A "hash function" is a process that creates a relatively small
number that represents a much larger amount of electronic data. For
instance, if I had a ten page word processing document on my computer
hard drive, I could use special hashing software to derive a particular
number associated with that document. If even one comma were changed on
the document, the resulting hash number from the changed document would
be completely different. This number is called the "message digest."
Digital signatures use a "one way hash function" - that means there is
no way to reverse engineer or derive the content of the message based
on the resulting message digest. When you send a digest along with a
message, the recipient can check to see if the message has been
tampered with by using the same hashing software to make her own digest
of the message and then checking to see if the two numbers match. If
the digest number sent with the message matches the digest created by
the recipient, then she knows that the message is exactly the same as
when it was sent.

To achieve a digital signature, the sender's software creates a
message digest and then encrypts that number with the sender's private
key. This "encrypted digest" is then sent along with the text of the
message. That way, the recipient can determine both who the message
came from and that the content has not been tampered with just by
decrypting the digest and checking to see that it matches the digest of
the message she received.

The entire message could also be encrypted, but that would only be
done to achieve confidentiality of the message. If the sender merely
wants to sign a message, only the digest needs to be encrypted. This is
important because it is significantly quicker to send and receive
messages that are not encrypted. The technology is developing to give
users a choice when a message is sent: you can "sign" the message or
"sign and encrypt" the entire message. Remember, it will cost
additional delays and computer resources to use encryption for
confidentiality as well as signatures, so think about when you want to
use each. This system, however, will not require any technical
expertise among users above that required to use a word processor. The
process will be nearly "transparent" to the end user. All that will be
required is a few clicks of the mouse to sign or encrypt messages and
to accept and review the signed messages sent to the user.

Certification Authorities

The issue, legally, is to bind the identity of a particular party
to a particular public key. This need has been widely perceived in the
marketplace and several companies are stepping into the so-called
"trusted third party" business. Such a company is known as a
certification authority (C/A). The C/A will issue a certificate that
identifies the person associated with a given public key (the
"subscriber"). The C/A is responsible for undertaking certain measures
to ascertain the identity of the person to whom it issues a
certificate. The market appears to be evolving toward tiered levels of
certificates. Relatively inexpensive certificates may only represent an
attestation by the C/A that the subscriber presented a notarized letter
indicating her identity through the U.S. mail. More expensive
certificates might be issued based on more stringent measures by the
C/A, such as requiring the subscriber to physically show up at a
location and present multiple forms of photo identifications and so on.

When the subscriber wishes to use her private key to sign a record,
she would send a certificate, issued by a C/A along with the
transmission. That way, the relying party who receives the transmission
can independently verify the identity of the subscriber by reference to
the C/A's online database of valid certificates and revoked
certificates. A subscriber would have a responsibility to notify the
C/A if she discovers that her private key has been lost or compromised.
In this case, the C/A would post this information to a Certificate
Revocation List. Prudent persons would check such a list before relying
on a given certificate. Banks, the U.S. Post Office, and several other
large and small entities are positioning to become C/As.

In a sense, the entire public key system is built on two deep fault
lines. First, the private key of the subscriber must remain secure. If
the private key is stolen or used without authorization, the whole
system falls. Secondly, there must be a trusted third party to the
transaction. Without this certification, again, the system falls. The
recipient must have objective grounds for confidence that the public
key which "unlocks" the signature, leading to the critical elements of
authenticity and message integrity, is associated with Smith. Without
this assurance, the fact that a public key unlocks a message encrypted
with a private key has no meaning other than that the two keys are
mathematically related. Today, there is a serious debate about what
policies and practices C/As should use. It is clear that this system
requires some common understanding among C/As and the user population
regarding uniform levels of authentication of the subscribers. There
are multiple views about what, if any, laws are called for at present
to further define, and perhaps limit, the rights and liabilities of
C/As, subscribers and relying parties who use this system.

The Commonwealth of Massachusetts has assumed a leadership position
among states with regard to the creation of a public key
infrastructure. The Commonwealth is working with several national
organizations of state government officials to bring together the
fledgling C/A industry for the purpose of discussing more coordinated,
predictable and uniform business practices and standards. There must be
an objective method, such as accepted standards, accreditation or
licensing whereby consumers, government and business can identify which
C/As will be worthy of trust. The elements of a trustworthy C/A extend
to very technical specification as well as to business practices.
Ideally, voluntary, testable, widely recognized industry standards will
develop, rather than more rigid government conceived promulgations. The
Commonwealth is also actively involved with joint federal and state
efforts to coordinate electronic commerce policies on a national level.
In addition to policy work, the Commonwealth is gaining practical
experience with this technology as a business tool. The Registry of
Motor Vehicles web site now uses point to point encryption over the
Internet to allow confidential transmission of credit card transactions
to renew vehicle registration, pay citations and even order vanity
license plates. The Division of Banks is about to begin a pilot using
digital certificates to enable banks to file authenticated documents
over the state's Internet web site. The Information Technology Division
makes information available about Commonwealth secure Internet
initiatives at <www.state.ma.us/itd/legal>.

The Difference Between Electronic Signatures and Digital Signatures

An electronic signature is, simply, any symbol or method executed
or adopted by a party with present intention to be bound by or to
authenticate a record, accomplished by electronic means. An electronic
signature may be created by any electronic means. For instance, a
sophisticated bio-metric device, such as a fingerprint computer
recognition system could qualify as an electronic signature, and so
would the simple entry of a typed name at the end of an e-mail message.
The principle is that the symbol or method was executed or adopted by
the signer with a present intent to sign the record. This
definition focuses on the traditional legal purposes of a signature,
not the particular medium or manner chosen to accomplish the signature.
By contrast, a digital signature refers to a particular implementation
of public key cryptography.

A digital signature can be defined to mean a transformation of a
record using an asymmetric cryptosystem and a hash function such that a
person having the initial record and the signer's public key can
accurately determine: (a) whether the transformation was created using
the private key that corresponds to the signer's public key; and (b)
whether the initial record has been altered since the transformation
was made. In other words, a digital signature is created by use of a
public key system, but an electronic signature includes broadly any
computer method, including, but not limited to, public key systems.
Digital signatures are technology specific. Electronic signatures are
technology neutral.

The use of low security electronic signatures, such as simply
typing one's name on an e-mail, raises serious questions of proof
regarding the authenticity of such a signature. However, there are
times when low or no levels of security are warranted. A given
transaction or message may be informal, of little or no value nor
otherwise reasonably likely to form the basis of subsequent dispute.
For instance, it is common practice to conclude purely social e-mail
messages with the typing of the sender's name. In this case, the name
would be a symbol intended to authenticate the document, but not
necessarily manifesting an intent to be bound by the content - assuming
there exists any particular content at all. In this context, the word
"authenticate" means merely an intent to represent that the signer was
the sender. In common parlance, e-mail among friends and close
colleagues is often concluded with the initials of the sender alone.
For more formal, but low risk, electronic transactions, a more robust
signature system may be desirable. This does not necessarily mean a
full fledged public key solution is required. For example, some
business and professional online services require a user name and
password to access their system. Once a user is on the system, they may
be entitled to additional information or services, such as online
dialogue with an expert or authorization to view value-added
proprietary documents. Here, the electronic signature is created by use
of a user name and password, probably relying on access control
technology far less expensive and simpler to use than public key
cryptosystems. The use of this system may (depending on the
understanding of the parties as evidenced by contracts, disclaimers or
other conditions of use) authenticate the user and also impliedly, or
perhaps expressly, express an intent to be bound by billing rates or
other terms.

Digital Certificates

As mentioned earlier, digital signatures, when properly
implemented, provide an extremely high degree of confidence that a
message originated from the person or entity it purports to come from
and that the message was not altered. In addition, the current
implementation of this technology relies on particular digital
certificates that comply with internationally recognized standards.
This current standard, known as X.509v3, provides for the inclusion of
several data fields that specify the name of the private key holder
(the subscriber), the name of the issuing certification authority, the
period during which the certificate is valid and a copy of the
subscriber's relevant public key.

This current version of this standard is particularly exciting for
legal and policy reasons because it also allows for a number of
so-called "certificate extensions" - that is, data fields with no
predetermined use. These open fields can be used to further customize a
certificate for a given industry or individual use. Additional fields
might designate a reasonable monetary reliance limit to be associated
with a given certificate, or some indication of the signer's
authorization limits. Unlike a traditional pen and ink signature, a
digital signature with a customized certificate could denote, in
detail, the types of transactions a given employee is authorized to
enter or the role a signer is playing within a company. For instance,
Mr. Gates may use one private key to buy low dollar items on the
Internet for his personal use or to sign his weekly time sheets (hey -
it's possible). He might keep this key on his desktop hard drive and
protect it with a password. However, to sign important high dollar
deals Mr. Gates may choose to use a different key, denoting him as the
CEO who is authorized to bind his company. This key may be protected
with a more expensive and more trustworthy system, perhaps including
smart cards or biometric devices.
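
The signing and reliance steps described under "Hash Functions and Message Digests", "Certification Authorities" and "Digital Certificates", put together as an added example (not code from the original article). It uses textbook RSA over SHA-256 with constructed demo keys built from public Mersenne primes, so it is insecure by design; the dictionary certificate and the `reliance_limit_usd` extension name are assumptions standing in for an X.509v3 certificate.

```python
import hashlib
import json
from datetime import date

def make_keypair(p_exp, q_exp, e=65537):
    """Constructed demo key from two public Mersenne primes: deterministic, NOT secure."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    d = pow(e, -1, (p - 1) * (q - 1))          # private exponent
    return {"n": p * q, "e": e}, {"n": p * q, "d": d}

def digest(data: bytes) -> int:
    """One-way hash of the data: the 'message digest', as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, private_key: dict) -> int:
    """Transform the digest with the private key (textbook RSA, no padding)."""
    return pow(digest(data), private_key["d"], private_key["n"])

def verify(data: bytes, signature: int, public_key: dict) -> bool:
    """Recover the signed digest with the public key; compare to a fresh digest."""
    return pow(signature, public_key["e"], public_key["n"]) == digest(data)

def cert_body(cert: dict) -> bytes:
    """Canonical bytes of every certificate field the C/A signs."""
    body = {k: v for k, v in cert.items() if k != "ca_signature"}
    return json.dumps(body, sort_keys=True).encode()

def issue_certificate(ca_private, issuer, subscriber, subscriber_public,
                      serial, not_before, not_after, reliance_limit_usd):
    """The C/A binds a subscriber name to a public key and signs the binding."""
    cert = {
        "issuer": issuer, "subscriber": subscriber, "serial": serial,
        "not_before": not_before, "not_after": not_after,
        "subject_public_key": subscriber_public,
        # Hypothetical extension field, modelled on the reliance limit in the text.
        "extensions": {"reliance_limit_usd": reliance_limit_usd},
    }
    cert["ca_signature"] = sign(cert_body(cert), ca_private)
    return cert

def relying_party_check(message, signature, cert, ca_public, crl, on_date, amount_usd):
    """Checks a prudent relying party makes, in order. Returns (accepted, reason)."""
    # 1. Is the name-to-key binding vouched for by the trusted third party?
    if not verify(cert_body(cert), cert["ca_signature"], ca_public):
        return False, "certificate was not signed by the trusted C/A"
    # 2. Is the certificate within its validity period?
    start = date.fromisoformat(cert["not_before"])
    end = date.fromisoformat(cert["not_after"])
    if not start <= on_date <= end:
        return False, "certificate is outside its validity period"
    # 3. Has the subscriber reported the key lost or compromised?
    if cert["serial"] in crl:
        return False, "certificate is on the revocation list"
    # 4. Does the transaction stay within the stated reliance limit?
    if amount_usd > cert["extensions"]["reliance_limit_usd"]:
        return False, "amount exceeds the certificate's reliance limit"
    # 5. Only now: does the signed digest match the message as received?
    if not verify(message, signature, cert["subject_public_key"]):
        return False, "message does not match the signed digest"
    return True, "accepted"

# --- Constructed sample data (names, serial, dates and amounts are made up) ---
CA_PUB, CA_PRIV = make_keypair(521, 607)
SMITH_PUB, SMITH_PRIV = make_keypair(607, 1279)
IMPOSTOR_PUB, IMPOSTOR_PRIV = make_keypair(521, 1279)

CERT = issue_certificate(CA_PRIV, "Example C/A", "John Smith", SMITH_PUB,
                         serial=1001, not_before="1997-01-01",
                         not_after="1997-12-31", reliance_limit_usd=1000)
MESSAGE = b"I, John Smith, agree to pay 500 dollars."
SIGNATURE = sign(MESSAGE, SMITH_PRIV)
TODAY = date(1997, 7, 24)

if __name__ == "__main__":
    # An impostor's key placed in Smith's certificate under the old C/A signature.
    forged = dict(CERT, subject_public_key=IMPOSTOR_PUB)
    print(relying_party_check(MESSAGE, SIGNATURE, CERT, CA_PUB, set(), TODAY, 500))
    print(relying_party_check(MESSAGE.replace(b",", b"", 1), SIGNATURE, CERT,
                              CA_PUB, set(), TODAY, 500))
    print(relying_party_check(MESSAGE, SIGNATURE, CERT, CA_PUB, {1001}, TODAY, 500))
    print(relying_party_check(MESSAGE, sign(MESSAGE, IMPOSTOR_PRIV), forged,
                              CA_PUB, set(), TODAY, 500))
```

The impostor's signature verifies perfectly well against the impostor's own public key; it is the failed C/A signature on the altered certificate that tells the relying party the key does not belong to Smith.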

Technical Capabilities and Legal Judgments

The role of attorneys in assessing the adequacy of a digital
signature, particularly in a jurisdiction without detailed digital
signature legislation, will involve a special evaluation and
recommendation process. More so than most other fields of legal
practice, information technology issues will form the basis of
unfamiliar, dynamic and complex facts and circumstances for most
lawyers. The technology is, by nature, fast evolving and very
complicated. Even if you have a computer science degree, you will have
to take additional time making sure you understand the basics of
current and future technological systems. However, lawyers do not need
computer science degrees to render sound legal advice to clients
seeking guidance in these matters. In the context of electronic
signatures, and the probable commercial uses to which they will be put,
there are a relatively few key concepts that can be used to assure an
accurate "big picture" view of particular technologies.

There are an increasing number of technologies being developed that
would provide for varying levels of security over open networks.
Clients will look to attorneys and others for guidance about the
appropriate level of security for a given line of electronic business
or other transactions. Of course, the average attorney will not be
expected to render technical judgments about the information technology
investments their clients make. Very technical analysis can be involved
in making such selections, such as interoperability with existing
information technology systems, costs to administer, trends in the
industry and so on. However, it is going to be very important for
attorneys to cooperate closely with business and technical people in
the procurement and deployment of certain computer security systems
generally, and systems that require electronic signatures specifically.
The legal consequences that flow from the presence or absence of
particular elements of data security will constitute risks, liabilities
and other potential costs that should be taken into account from the
beginning. Similarly, relatively small changes to the purchase, or
implementation, of a large electronic system can drastically improve a
client's position should the system ever be implicated in or form the
basis of a dispute, or formal adjudication.

A full discussion of network security would necessarily include
exploration of disaster recovery systems, physical security, audit
trails, security policies, procedures, training and so on. Leaving
aside, for purposes of this article, these important but more general
issues of network and systems security, lawyers should pay special
attention to five basic legal and technical elements when assessing a
given electronic signature or other network security system. Security,
in this context, consists of: authentication, access control,
confidentiality, message integrity and non-repudiation. These are the
terms of art that will form an important part of every lawyer's thinking
and advice in the field of information technology law for years to
come. Each one of these terms has a specific technical meaning and
distinct legal and policy implications. Here is a very general
description of each term:

Authentication: This is achieved by ascertaining the identities of parties to a message or transaction.

Access Control: This means that information, and other network resources, are available only to authorized parties.

Confidentiality: This is achieved by keeping the contents of a message or substance of a transaction secret from unauthorized parties.

Message Integrity: This is achieved by ascertaining
that a message or other transmission has not been tampered with in
transit over a computer network, i.e., it is accurate.

Non-Repudiation: This means that evidence exists tying
the identity of a party to the substance of a message or transaction at
a certain point in time and the evidence is sufficiently strong to
prevent or rebut that party's subsequent denial of same.

As lawyers, we will increasingly be called upon to develop a legal
analysis involving one or more of the above concepts. These technical
terms are cropping up in a host of everyday situations. For instance,
as more medical records are made available to treating physicians over
multi-hospital computer networks and even over the Internet, it is
vital that the confidentiality of those records is maintained.
Similarly, whenever a credit card number and expiration date are
transmitted, that information should be kept confidential both in the
merchant's computer system and while in transit over the network.
Assurance of message integrity is necessary to prove the contents of a
contract agreed to by means of electronic commerce. One seeking to
prove a contract will want to show that every clause, word and
character in such a contract was received accurately - exactly as it
was transmitted.

Access control can prevent unauthorized users from availing
themselves of certain non-confidential, but valuable network resources,
such as computationally demanding analysis programs or scarce
communications bandwidth. In addition, access control measures can stop
unauthorized users from viewing, deleting or otherwise manipulating
sensitive data. For instance, a bank might wish to post current
interest rates on an Internet web site. This information is not
confidential, in fact, it is widely publicized, but the bank will
require assurance that individuals from the general public who are
viewing that information cannot manipulate the data and change the
posted interest rates.

The concepts of authentication and non-repudiation are particularly
important. In order to separate "authorized" users of information from
"unauthorized" users, there must be some reliable way to ascertain the
identity of the user. The Internet was not designed with adequate
technical means to achieve this identification. In fact, without the
existence of more robust security measures, it is quite easy to "spoof"
the identity of another person on the Internet. The apparent origin and
return address on an e-mail message, for instance, is quite subject to
impersonation. There are several means, not involving cryptography, to
achieve authentication, including by use of a password or PIN, a
hardware device (perhaps as simple as an inexpensive thin plastic card
with a unique magnetic strip), voice recognition, and many other
methods. Authentication information can be used as the basis for other
programs that control access or save the authentication data in order
to forestall subsequent attempts to repudiate transmission or receipt
of a message or transaction.

Finally, though related, the elements of non-repudiation should not
be confused with the legal notion of contract "repudiation."
Non-repudiation should be thought of as sufficient technical evidence
that a particular party submitted or received a particular
transmission. Some state statutes are creating evidentiary rebuttable
presumptions that a transmission was submitted or received by a
particular party under specified technical circumstances, such as when
a digital signature is used. The emerging legislative trend, however,
seems to be more technology neutral. Under this approach, proof that a
"secure system," (defined to include the basic elements of a
trustworthy system) was used to generate and transmit the signature
will create a rebuttable presumption that the signature is authentic.
However, it is helpful to remember that achieving non-repudiation does
not necessarily mean that a party will be bound by an obligation or
that a given contract will be enforceable. The laws of contract will,
of course, still operate to allow defenses to enforcement and to rebut
contract formation based on incapacity, mistake, illegality and so on.
Courts will continue to look to whether substantial performance has
been rendered and other legal requirements met. However, the technical
elements of non-repudiation operate to form a solid business and legal
foundation on which to build reliable communications.

It may be helpful, when presented with a request for legal advice
based on a client's planned or present use of a secure network system,
to run through each of the five elements listed above with the client,
or technical person making the presentation. Based on the answers, you
should be able to determine which, if any, of the five elements is
present, and to what degree. For instance, if, upon inquiry, you
determine that there is a method for authentication, but no way to
assure non-repudiation, then business functions that require billing or
creation of other obligations should be questioned. For example, if the
computer server merely authenticates the identity of a party upon entry
into the system for access control purposes, but then either deletes,
over-writes or fails to save that information, then potentially
valuable data to prove non-repudiation is being lost. It may be
fruitful to discuss whether there is a way to archive the
authentication data in a secure way that would allow it to be entered
into evidence should a formal adjudication ever result. The client
could consider any number of processes that would allow you, or the
trial attorney, to lay a proper foundation for introduction of the
authentication information.

Basic issues to consider include proof of the following: the
reliability of the hardware and software used; the accuracy of data
entered; the integrity of stored records; and the reliability of the
process whereby records are retrieved for the court in perceivable
form. However, for the non-repudiation element in particular, you
should contemplate how the system will support the admissibility and
weight of evidence that a particular party sent a message or engaged in
a transaction. For instance, think about how the system ensures that
the disputed information is identified with the party (was a password
given to the signer and was there an agreement about keeping the
password safe?) and that unauthorized persons did not have the
opportunity to create or manipulate the information after the
transaction (does the server have limited physical and software access
- what other procedures are in place to prevent unauthorized access?).
These facts will assist in laying a proper foundation and proffering
persuasive evidence.

Information Security: How Much is the Right Amount?

It will be some time before digital signature technology is
pervasively used, and it is entirely possible that it will remain
merely one of several technologies for information security. Given
current growth rates, it is clear that, in the meantime, every area of
the economy will increase use of computer networks secured by other
technologies. Information security technology and related costs of
business process can absorb inordinate amounts of available resources,
unless carefully managed. A modern trend in legal analysis of such
systems requires a balancing test. Specifically, an attorney should ask
whether the reliability of the method used to create, store, and
communicate the signature or electronic record was appropriate for the
purposes for which it was created and transmitted. A broad range of
financial, legal and other relevant factors should be considered and
balanced when determining the advisability of a given network security
or signature system.

As a general observation, it seems that many attorneys and other
professionals initially expect near perfect information security systems
to be in place when a process shift from paper to electronic medium is
contemplated. While it is true that some vulnerabilities to the
information increase when it is converted to electronic form (ranging
from a simple power surge, to a malicious virus), in many, possibly
most, situations, the digital information is actually more secure.
Relatively small information security precautions can render the same
information far safer when in electronic form. One should be wary of
unreasonable expectations or demands for near 100% security from every
conceivable threat just because information is to be maintained in
electronic rather than paper form. A more appropriate, if general,
benchmark is to ask whether the electronic system affords approximately
the same or better security than analogous paper systems. This type of
analysis should deliberately balance the costs of various security
systems against the risks of security breach in light of the entire
enterprise. Of course, some functions will require extremely high
degrees of security. Typically, such a security system commands
significant financial and personnel resources to create and maintain.
Determining the right level of information security should be the
result of searching analysis of the business, legal and other demands
on the enterprise.

Information Security Benefits of Digital Signature Technology

Based on the description of public key cryptography earlier in this
article, it is possible to define precisely how it is so well suited to
meet each of the five postulated elements of network security. When the
recipient receives a digitally signed message, if the subscriber's
public key decrypts the message digest, then the recipient knows to a
mathematical certainty that the subscriber's private key must have
encrypted that digest. If the certificate indicates that the subscriber
is the same person who purports to have sent the message, then the
recipient knows the signature is authentic (assuming the certification
authority inspires sufficient trust and the certificate is listed as
valid and not revoked on the C/A's database). This part of the process
provides evidence of authentication. Once the digest is decrypted, the
recipient can run the message through a hash function and, if the
resulting digest matches the digest that was sent in encrypted form,
then the recipient knows that the message has not been altered. In other
words, this process of sending an encrypted message digest along with a
message can provide solid proof of authentication and message
integrity.

But, what about access control, confidentiality and
non-repudiation? Access control can be achieved based on a digital
certificate quite easily today. In fact, standard browsers come with
the Secure Sockets Layer (SSL) protocol built in. The current version
of the protocol (SSL3) allows for the automatic exchange of digital
certificates between a web browser and a web server, thus creating
cross-authentication. This information can form the basis of a server
program that only allows browsers with certain certificates into secure
areas of the web site. Hence, SSL3 can be used to control access to
network resources based on the identity of the party seeking to use the
resource. Though the basic formulation for a digital signature does not
require that the message be encrypted, if the message were encrypted,
then the contents would be confidential. Finally, non-repudiation can
be achieved by keeping records of the original message, the associated
encrypted message digest and the attached digital certificate. With
these items, if the sender of the message later attempted to deny
having sent the message, then it could be shown that: 1. his public key
decrypts a given message digest; 2. that message digest corresponds to
the message in question; and 3. the relevant certification authority
listed his certificate as valid at the time of the transaction. To
pinpoint the time of the transaction, a digital time stamp service or
other general server logs may also be necessary.
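
The three-part showing just described can be made concrete. The following is an added example, not part of the original article: it re-checks an archived message, encrypted message digest and certificate. It assumes a constructed toy key (textbook RSA over publicly known primes, not secure), hypothetical names (Certificate, EvidenceRecord, check_evidence), constructed sample data, and a dictionary standing in for the certification authority's database.

```python
import hashlib
from dataclasses import dataclass, replace
from datetime import datetime, timezone

# Constructed toy RSA key. NOT secure: both primes are publicly known
# Mersenne primes and the signature is unpadded "textbook" RSA.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def digest_int(message: bytes) -> int:
    """Hash function step: SHA-256 digest of the message, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int, n: int) -> int:
    """Sender: transform ("encrypt") the digest with the private key."""
    return pow(digest_int(message), d, n)


@dataclass(frozen=True)
class Certificate:            # hypothetical, much-reduced certificate
    serial: str
    subject: str
    n: int
    e: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class EvidenceRecord:         # the items the recipient keeps on file
    message: bytes
    signature: int            # the encrypted message digest
    certificate: Certificate
    purported_sender: str
    signed_at: datetime       # from a time stamp service or server log


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def valid_at(cert: Certificate, when: datetime, revoked: dict) -> bool:
    """True if `when` is inside the validity period and before any
    revocation. `revoked` stands in for the CA database: serial -> time."""
    if not cert.not_before <= when <= cert.not_after:
        return False
    revoked_at = revoked.get(cert.serial)
    return revoked_at is None or when < revoked_at


def check_evidence(rec: EvidenceRecord, revoked: dict) -> dict:
    """Evaluate each showing separately so a failure can be located."""
    cert = rec.certificate
    recovered = pow(rec.signature, cert.e, cert.n)
    return {
        # 1. The public key "decrypts" the stored value to a digest. In
        #    this unpadded toy that means the result fits in 256 bits;
        #    real schemes check a padding structure instead.
        "public_key_recovers_digest": recovered < 2**256,
        # 2. That digest corresponds to the archived message.
        "digest_matches_message": recovered == digest_int(rec.message),
        # The certificate names the person who purports to have sent it.
        "certificate_names_sender": cert.subject == rec.purported_sender,
        # 3. The CA listed the certificate as valid at signing time.
        "certificate_valid_at_signing": valid_at(cert, rec.signed_at, revoked),
    }


# Constructed sample data.
CERT = Certificate("0001", "Alice Example", N, E,
                   utc(1997, 1, 1), utc(1998, 1, 1))
MESSAGE = b"I agree to lease the premises for $1,000 per month."
RECORD = EvidenceRecord(MESSAGE, sign(MESSAGE, D, N), CERT,
                        "Alice Example", utc(1997, 7, 24))


def scenarios() -> dict:
    """Run the check over a genuine record and four failure cases."""
    altered = replace(RECORD, message=MESSAGE.replace(b"1,000", b"9,000"))
    # A different private exponent stands in for someone else's key.
    other_key = replace(RECORD, signature=sign(MESSAGE, D + 2, N))
    return {
        "genuine": check_evidence(RECORD, {}),
        "altered_message": check_evidence(altered, {}),
        "signed_with_other_key": check_evidence(other_key, {}),
        "revoked_before_signing":
            check_evidence(RECORD, {"0001": utc(1997, 6, 1)}),
        "revoked_after_signing":
            check_evidence(RECORD, {"0001": utc(1997, 9, 1)}),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24} {result}")
```

A certificate revoked after the signing time still supports the third showing, which is why the archived record needs a trustworthy time for the transaction.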

The State of the Law and Legislative Initiatives

Today, there exist a number of legal requirements for transactions
to be evidenced by a "writing" or to be "signed." The most commonly
referenced signature requirement is the Statute of Frauds. However, a
large number, perhaps thousands, of federal, state and local laws,
regulations and ordinances also call for a "writing" and a "signature."
Some of these laws specifically require the writing to be on "paper"
and the signature to be "in ink." These so-called quill pen laws have
caused anomalous legal results from the use of technology as widely
accepted as the fax machine.

In the notable case of Gilmore v Lujan, the requirement for
a lease to be signed was rigidly adhered to by a federal agency when
the agency killed a significant business transaction based solely on a
faxed rather than ink signature. The court admonished the agency for
their harsh and unreasonable application of a regulation requiring a
"holographic signature," but recognized the right of the agency to so
act based on the law as written. The court noted:

While in this instance, denial produces a harsh result, a telefaxed
signature is a machine produced signature. It is the exact situation
the amended regulations sought to address. . . The decision we reach
here is compelled by the narrow scope of the court's review of agency
decisions. Obviously the equities favor Gilmore, as he is guilty of no
omission but use of the United States mails. Eight days for delivery of
mail from Nebraska to Nevada far exceeds the time it should take.
Indeed, the Pony Express could have covered the distance with time to
spare.

Justice Holmes observed that citizens dealing with their government
must turn square corners. Rock Island, Arkansas, and Louisiana
Railway Co. v. United States, 254 U.S. 141, 143, 41 S.Ct. 55, 56, 65
L.Ed. 188 (1920). Gilmore turned all but the last millimeter, but that
millimeter, whose traverse is jealously guarded by the BLM, was his
undoing. Relief to Gilmore in this narrow case would expose BLM to no
fraud or risk of fraud, as his bona fides are beyond question. If
Gilmore and those other few luckless applicants whose documents are
stored rather than delivered by the Postal Service are to get any
relief, it must come at the hands of the BLM. As shown by this case,
those hands are more iron than velvet.

The case of State ex rel. Ashcroft v Blunt is equally
noteworthy for its different emphasis. While out of state, Governor
Ashcroft, of Missouri, signed by hand and transmitted by fax various
documents, including eleven appointments, two proclamations, two
commissions, one appointment as special commissioner or referee and
even one extradition order. The court held that the use of a fax
machine to communicate official acts of the Chief Executive of the
state was valid. In fact, the attention of the court was on the
question of the Governor's authority to exercise executive power while
out of state, based on the state's constitution. The court's focus was
on the appropriate issue - that of authority and the validity of the
underlying transaction - not fixated on the particular medium used.

Chapter 111 Section 70 of the Massachusetts General Laws is an
example of health care legislation that, by its explicit terms, does
not appear to allow for a transition to electronic media - even if it
could be shown that such a transition would clearly provide superior
efficiency, confidentiality and promote the public interest. The
statute reads, in pertinent part:

Hospitals or clinics subject to licensure by the department of
public health or supported in whole or in part by the commonwealth,
shall keep records of the treatment of the cases under their care
including the medical history and nurses' notes. Such records may be
made in handwriting, or in print, or by typewriting, or by the
photographic or microphotographic process, or any combination of the
same. Whenever preexisting records shall have been photographed or
microphotographed and the photographs or microphotographs shall have
been duly indexed and filed, such hospital or clinic upon notifying in
writing the supervisor of public records referred to in chapter
sixty-six may destroy the original records so photographed or
microphotographed, and such photographs or microphotographs shall have
the same force or effect as the original records from which they were
made.

The present statutory and judicial framework for writings and
signatures has become antiquated and leads to unpredictable, even
anomalous results. This state of affairs has generated some uncertainty
among current and would-be adopters of this technology. This has
impeded the natural flow of the market. It is precisely this state of
affairs which has prompted recent legal initiatives to recognize
digital and electronic communications.

On a state level, there has been a surprising amount of activity in
the area of digital signature legislation. The first state to adopt
such a law was Utah. The Utah law, enacted in 1995 and amended in March
of 1996, is widely recognized as an important and positive first step
toward legal recognition of digital signature technology. The Utah act
provides for the licensure of certification authorities by the Utah
Department of Commerce. Utah's law also details the rights and
liabilities of parties to a transaction using public key cryptography
and a licensed certification authority. Washington state adopted
legislation closely resembling the Utah law early in 1996. Other
states, most notably Georgia, began considering Utah modeled bills and,
for a time, it seemed a consensus was developing among states.

While a number of states have considered using the Utah act as a
model, various policy issues have increasingly moved states toward less
regulatory, less technology specific and more incremental approaches.
For example, the states of California and Arizona enacted legislation
permitting use of digital signatures for transactions with public
entities in each state, respectively. This legislation authorized their
Secretaries of State to promulgate regulations to achieve the purpose
of the act. Still other states passed laws permitting the use of
electronic signatures for particular purposes, such as for medical
records in the state of Connecticut or for budget and accounting
purposes, such as electronic check signing by the Treasurer of the
state of Delaware. Georgia, and a number of states that had legislation
resembling the Utah act, allowed the bills to die and opted for further
study.

Today, a new trend is developing among legislative drafters and
policy makers. The state of Massachusetts, notably, exemplifies an
effort to craft laws that directly address the legal issues raised by
electronic commerce but do not exclusively enshrine public key
cryptography in statute. This approach seeks to remove legal obstacles
to electronic communications and transactions generally, by giving
legal effect to electronic signatures and electronic records. The law
would also specifically provide for the admissibility of electronic
signatures and records. The draft proposed statute reads, in pertinent
part:

Section 1. Definitions.

As used in this chapter, the following terms shall have the following meanings:

"Record" means information that is inscribed on a tangible medium or
that is stored in an electronic or other medium and is retrievable in
perceivable form. The term "record" includes both electronic records
and written records.

"Signed" or "signature" means any symbol or method executed or adopted
by a party with present intention to be bound by or to authenticate a
record, including electronic or digital methods.

Section 2. Electronic Records.

(a) Where any rule of law requires a writing or provides for certain
consequences in the absence of a writing, that rule is satisfied by an
electronic record.

(b) In any legal proceeding, nothing in the application of the rules
of evidence shall apply so as to deny the admissibility of an
electronic record into evidence on the sole ground that it is an
electronic record or that it has been retrieved in perceivable form
from an electronic or other medium. An electronic duplicate of a record
or any perceivable reproduction of a record that accurately reproduces
the original is admissible to the same extent as the original record
unless or in the circumstances it would be unfair to admit the
duplicate in lieu of the original. In assessing the evidentiary weight
of an electronic record, the trier of fact may consider any relevant
information or circumstances, including the manner in which the record
was created, stored, and communicated and the reliability of such
processes.

(c) The recipient of a record may establish reasonable requirements
with respect to the choice of medium, absent agreement to the contrary.

(d) This section shall not apply when:

(i) its application would be inconsistent with the manifest intent of the parties, or

(ii) its application would involve a construction of a rule or law
that is clearly inconsistent with the manifest intent of the law
making body or repugnant to the context of the same rule or law,
provided that the mere requirement that a record be "in writing" or
"written" shall not by itself be sufficient to establish such intent.

(iii) [Specific exceptions - under development]

Section 3. Electronic Signatures.

(a) Where any rule of law requires a signature, or provides for
certain consequences in the absence of a signature, that rule is
satisfied by an electronic signature.

(b) In assessing whether an electronic signature was executed or
adopted with respect to a record by a particular person, the trier of
fact may consider any relevant information or circumstances, including
whether the signature is unique to the signer, unauthorized persons had
the opportunity to create the signature, the signature is capable of
verification, the signature is invalidated if the record is altered,
and the reliability of the method used to create, store, and
communicate the signature was appropriate for the purposes for which it
was created.

(c) Where any rule of law requires a signature to be notarized or
acknowledged for filing with any agency, department, board, commission,
authority, political subdivision, or other instrumentality of the
commonwealth, that rule is satisfied by an electronic signature that
meets standards established by the secretary of the commonwealth.

(d) The recipient of a record may establish reasonable requirements with respect to the method used to sign the record.

(e) This section shall not apply when:

(i) its application would be inconsistent with the manifest intent of the parties, or

(ii) its application would involve a construction of a rule or law
that is clearly inconsistent with the manifest intent of the law
making body or repugnant to the context of the same rule or law,
provided that the mere requirement of a "signature" or that a record be
"signed" shall not by itself be sufficient to establish such intent.

(iii) [Specific exceptions - under development]

The United Nations Commission on International Trade Law (UNCITRAL)
recently proposed a Model Law on Electronic Commerce. The UNCITRAL
Model Law takes a high-level, enabling approach to electronic signatures
and records, with no mention of digital signatures or cryptography. The
UNCITRAL model law reads, in pertinent part, as follows:

Article 6. Writing

(1) Where the law requires information to be in writing, that
requirement is met by a data message if the information contained
therein is accessible so as to be usable for subsequent reference.

(2) Paragraph (1) applies whether the requirement therein is in the
form of an obligation or whether the law simply provides consequences
for the information not being in writing.

(3) The provisions of this article do not apply to the following [...].

Article 7. Signature

(1) Where the law requires a signature of a person, that requirement is met in relation to a data message if:

(a) a method is used to identify that person and to indicate that
person's approval of the information contained in the data message; and

(b) that method is as reliable as was appropriate for the purpose
for which the data message was generated or communicated, in light of
all the circumstances, including any relevant agreement.

(2) Paragraph (1) applies whether the requirement therein is in the
form of an obligation or whether the law simply provides consequences
in the absence of a signature.

(3) The provisions of this article do not apply to the following [...].

The National Conference of Commissioners for Uniform State Law have
been guided by the UNCITRAL approach in drafting efforts to revise
Uniform Commercial Code Article 2, covering the sale of goods, and the
soon to be proposed Article 2B, covering the license of digital
information. The current legislative drafts of electronic signature
legislation for the states of Illinois and Oklahoma contain similar
language and represent a similar approach. The Commonwealth of
Massachusetts electronic signature law and policy web site, available
at <http://www.state.ma.us/itd/legal>, contains the text, or
links to, these and other relevant legislative proposals and
enactments. There is an emerging realization that electronic signature
statutes should be broad and general, while the policies, regulations
(if any) and contracts will be more detailed and flexibly responsive to
particular technologies used in particular circumstances.

Largely unnoticed, but also very significant, is the new federal
Health Insurance Portability Act of 1996. This law contains provisions
that would establish standards and requirements for the electronic
transmission of certain health information. Most notably, the act
specifically addresses the role of electronic signatures in health care
transactions. The act provides for the adoption of "standards
specifying procedures for the electronic transmission and
authentication of signatures" with respect to the broad range of
transactions covered by the act. Of particular relevance, the drafters
specifically provided that electronic signatures that comply with the
standards promulgated by Health and Human Services shall "be deemed to
satisfy Federal and State statutory requirements for written
signatures." While it remains to be seen whether the Secretary of HHS
will deem fit to adopt technology specific or more general regulations,
it is clear that legally recognized electronic signatures and records
are on the verge of common usage in American health care - a very
significant national economic cluster.

There are several policy factors favoring a Massachusetts style
approach to electronic records and signature legislation. While the
capabilities of a widely used global public key system would be
staggering, the technical infrastructure necessary to enable such a
system is still years away. Given the dynamic and unpredictable nature
of technological evolution, there is still good reason to refrain from
definitive expectations about the shape, scope and type of
international information security systems of the future. Yet, in the
meantime, business, health care, education, government and other key
economic sectors are moving toward business uses of existing
technology, such as e-mail, moving documents and programs (file
transfer protocol), and basic web browsing (hyper text transfer
protocol). Other security systems are providing some or all of the
essential elements of network communications security, from elaborate
biometric devices (for finger prints or retina scans) to simple
software security requiring a password or other PIN. The law, and
attorneys in particular, must take account of this reality so as not to
deny the legal effect of legitimate transactions that happen to occur
electronically and to lend needed stability and predictability for
these activities. As technology changes and the market emerges, more
detailed state law will always be an option for individual or uniform
statutes. The use of public key cryptography and certification
authorities would more than qualify for legal recognition under the
Massachusetts approach. The Massachusetts approach is consistent with
the recent UNCITRAL Model Law and would provide a relatively simple
legal expression for all fifty states and the federal government to
adopt, thus providing a needed base-line for electronic commerce.

Conclusion

The legal profession, and society in general, stands at the cusp of
a profound change - a revolutionary shift to the digital age. A number
of voices have sounded the alarm to beware of the "wild west" of
cyberspace. Some advocate enactment of an array of protective
comprehensive statutes, tailored to meet the special host of issues
presented by the new information technologies. It is doubtful that any
particular suite of laws would be sufficient, or desirable, as a legal
response to the information age. It may be more accurate to say that
nearly all fields of law will undergo a transition that reflects and
shapes the underlying movement toward electronically based information
and communication. When our civilization transitioned to the industrial
age, our legal system did not adapt by the mere addition of a new area
of "industrial law." Rather, nearly every area of law was transformed
by, and helped to create, the new economic, social and political
realities associated with the industrial revolution and our subsequent
industrial civilization. Similarly, the pervasive information
revolution will relegate many currently familiar concepts to irrelevant
historical curiosities. The meaning of a signature will certainly be
among the definitions to evolve. Yet, the law has proven to be
resilient and capable of undergoing dynamic reshaping over the
centuries. Our principles of due process, open society, economic
freedom and self-government remain ageless beacons. We would be better
served by more calls to constructive action, rather than the frequent
vague alarms sounded about the coming digital revolution. The change is
coming - indeed it is already upon us - and the bar must rise to the
challenge as a stabilizing and proactive force during the exciting
transition period ahead.

Appendix H: E-Mail to UNCITRAL List Serve.

(This e-mail list is run by Temple Law School Professor Amy
Boss, and is an example of a valuable online forum in which the public
debate over electronic commerce policy is beginning to be had. [NOTE:
this message occurred in the context of a larger discussion and is
provided only as flavor for the valuable dialogues now underway. The
names of other correspondents have been edited out of this excerpt])

Subject: Re: Licensing CAs -Reply

Date: Fri, 18 Jul 1997 12:27:23 -0400

From: Dan Greenwood <dan@CIVICS.COM>

Reply-To: Digital Signature discussion <DIGSIG@VM.TEMPLE.EDU>

I would like to respectfully challenge some of the assumptions that
underlie . . . arguments [submitted to this list] for a Utah style law
and against technology neutral, minimalist law.

[it has been stated on this list]:

"The draft California regulations even allow individual agencies to
determine for themselves whether a digital signature even needs to be
validated against a certificate at all, so presumably any village idiot
that can create a public/private key pair can digitally sign something,
without having that signature vouched for by anyone."

That is correct. A lot depends on who you think should be in charge
of decisions. Do we regard agencies and citizens as village idiots or
do we assume some minimal capacity for rational decision making? My
agency uses public/private key pairs in a number of ways, including an
implementation of PGP without the benefit of a trusted third party.
This has worked fine for the purposes it was intended. We also use
CyberTrust as an outsourced semi-open style CA. Banks and other
financial institutions can generate their key pairs and get a
certificate from CyberTrust after the Commonwealth vouches for their
identity as authorized users of a particular system. We also use key
pairs that are generated as part of an SSL2 session which merely
encrypts http data but does not authenticate the parties or devices in
a transaction. [Expressions of] dismay at allowing agencies to consider
various PKI (and non-PKI) security options for the purpose of deploying
cost-effective and tailored systems do not make sense to me. I believe
the opposite is true. Decision making should be pushed down to the
lowest level practicable at this early phase of development in the
market.

Let's face it, there is NO PKI TODAY. It does not exist. The CAs are
neither accredited, cross-certified nor licensed in a uniform manner.
The ABA Guidelines were, and remain, a nice try. They raised the right
questions and have led to the right types of activity. Though they are
unambiguously inappropriate for legislation, they are a fine place to
begin (not to end) the broader dialogue on business, technical, legal
and policy directions. There is NO RUSH. In fact, time is our friend.
In the Commonwealth, it seems that every time we reconfigure our
servers or talk to another information security vendor or look at our
statutes in a fresh light, we sharpen our thinking and evolve our
perspectives about the best way to proceed. Electronic commerce is
moving fine without comprehensive regulatory and proscriptive rule
making. It ain't broke. However, we have it in our power to do some
serious damage to the market that drives these evolving solutions with
a few well meaning, but ill-advised statutes.

[it has also been stated on this list]:

"Although Massachusetts would at least require a certificate, they
would allow a digital signature to be substituted for a notarized
signature, but without any of the protections provided by a
licensed/accredited CA, or any legislative determination of who bears
what risk of loss."

It is true that Massachusetts does require a certificate for some
transactions (we came up with our technical and business requirements
all by ourselves without so much as a statute to guide us - or limit
us). However, it is not accurate that a notarized signature would
necessarily be substituted for a digital signature. In our current
draft, we only say that where any rule of law requires a signature to
be notarized or acknowledged for filing, that rule is satisfied by an
electronic signature that meets standards established by the secretary
of the commonwealth. The Secretary could determine that a digital
signature is necessary and that it must be verifiable with reference to
a certificate issued by an accredited CA. In fact, I project that this
is likely to be among the methods that would be found acceptable in the
Commonwealth because we are among the lead states in the accreditation
efforts for CAs. However, I don't know what you mean by the
"protections provided" by accreditation. It is clear what you might
view as "protections" from Utah style licensing - statutory warranties,
presumptions, liability limits (though these all seem to weight
protection heavily in favor of certain parties). But with
accreditation, the protection would be, at best, more like the
protections you get by an accurate label on a product or an accurate
rating of a bond. You could term this "quality assurance" - but I think
"protection" goes beyond what we need to be doing at this stage by
statute. Your further point about the lack of legislative determination
of who bears what risk of loss is considered a feature - not a bug. Our
proposal does not presume to tamper with existing bodies of law in this
regard. If a large scale or widely used implementation of PKI arises
and deserves special treatment in legislation we can handle that when
the time comes. I really fail to see the merit in pretending to know
how the market will evolve and preemptively apportioning risks between
private parties for products they are not yet using and problems they
have not yet had. I bet we will see a suite of problems - but they will
largely consist of causes and results that we can not predict today. It
is prudent to wait and see how the market evolves, what problems
emerge, and then to tailor legislative action where necessary to
address those issues.

[it has further been stated on this list]:

"Without any statutory basis for differentiation, I am very much
afraid that the courts might be forced to accept a simple e-mail
"signature" as the legal equivalent of a cryptographic digital
signature, despite the obvious difference in reliability. Whether this
could be handled by attorneys arguing the "preponderance of the
evidence" I don't know. But I do know, having talked to many corporate
attorneys, that many businesses might suddenly decide that the legal
uncertainty surrounding digital signatures was suddenly too great, and
would offset any possible advantage in electronic commerce."

I appreciate the gravity of this point, but I respectfully disagree
with the premise and the conclusion. The premise that courts might be
"forced to accept" a simple electronic signature as the equivalent of a
cryptographic signature because they have no statute to guide is not
warranted. Every court case occurs in a fact specific and law specific
context. If a dispute arises in which reliance was unreasonable on a
simple electronic signature (of the typed and e-mailed variety) then we
should either trust courts to come to that conclusion or we need to
reconsider our judicial system as a whole. No matter what happens with
legislation, as electronic commerce gains wider acceptance, we will see
more litigation. It is not reasonable to imagine a jurisprudence will
emerge that fails to distinguish between better and worse security
because there is no statute laying down the law. Courts do this all the
time. That is why we pay the judges. Let them do their jobs.

[The] final point that legal uncertainty surrounding digital
signatures may "suddenly" be found to be too great and would result in
slower adoption or reversal of electronic commerce tools by business is
a very serious allegation. I think electronic commerce, in general, is
a good thing and should be promoted. However, the creation of certainty
by statute is not necessarily the optimal first step. The certainty
created by the UCC took decades to develop (and is still in flux) and
reflected - not led - business practice. We can easily create certainty
by statute, but the question of the desirable exact scope and content
of those statutes has yet to be determined and, in the area of PKI, law
makers should make those determinations based on markets that have
already emerged. No government has ever regulated a market into
existence. We shall not do so with PKI legislation. This market will
emerge as a result of the interplay between supply and demand - and
that is how it should be. Is it true that rational business people
would choose not to enter this market in the absence of legislation
giving them liability limits, special evidentiary presumptions and a
list of proscriptive business process and technical requirements to
follow? If so, then the market is not ready to emerge. If, on the other
hand, the market is viable and capable of standing on its own, then we
have a public duty to create a sound legal infrastructure to support
it. That includes attacking regulation, unwise taxes, bizarre
industrial age writing/signing laws and other defined obstacles. In
time, we may also wish to enact some of the legal models proposed by
members of this list. Those decisions should be based on a close
examination of the market and any problems that can be conclusively
linked to defined market failures and for which there is a high
likelihood that legislative action is the most appropriate tool to
remedy the problem.

[Finally, it has also been stated on this list]:

"I confess that I am somewhat dismayed by all of this, for it as
though the last five years of intensive effort that over 100 of us
invested in trying to draft the ABA Guidelines has gone for naught, as
the individual states and the various vested interests have all gone
off in their own individual directions."

Don't despair, we are engaged in a longer (and better) process than
you previously thought you had signed up for. It is fair to say that
the last five years of work by one committee of one division of one
section of one professional association (the ABA) of one country did
not result in the final word on this matter. Though I was quite late to
the process, my name is also on the ABA guidelines as a Contributing
Author. Thanks to the work of the committee, and Utah, and several
other sources, we are now in a position to work out more of the issues
than we otherwise would have been at this point in time. Did you really
expect states to stand up and salute? We are blessed with a system of
50 legislatures that forces an amazing depth and breadth of critical
debate on such issues. Between the state legislatures, the executive
branches, the courts and the other levels of government now involved in
these matters, I believe we are less likely to arrive at an ill-advised
course of action. However, all branches and levels of government would
do well to resist the impulse to regulate, legislate and otherwise
pronounce on electronic commerce and to get out of the private sector's
way at this vital early phase of market development.